CVE-2025-61726 in net/url

Summary

by MITRE • 01/28/2026

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.


Analysis

by VulDB Data Team • 06/02/2026

CVE-2025-61726 is a resource-exhaustion flaw in the net/url package of the Go standard library. net/url parses query strings and URL-encoded form bodies into a url.Values map without bounding the number of key=value pairs, and net/http.Request.ParseForm hands it both the request's query string and, for form bodies, the request body. Nothing in the parser rejects a request that has been built to carry far more parameters than any legitimate client would send, so the only limits in play are byte limits set elsewhere in the server.

The attack input is a query string or form body of the shape k0=&k1=&k2=... with a large number of distinct keys. For every pair the parser allocates a map entry, a key string and a []string for the values, so memory grows with the number of keys rather than with the number of bytes on the wire, and short keys with empty values make that ratio worst. A query string is bounded by the server's request header size limit, and ParseForm caps a body at 10 MB unless the handler installed a tighter http.MaxBytesReader, but 10 MB of short unique keys is still on the order of a million map entries per request. The weakness is CWE-400, Uncontrolled Resource Consumption, and its effect is a memory-based denial of service.

Any service whose handlers call ParseForm, FormValue or PostFormValue on untrusted requests (the latter two call ParseForm implicitly), or that parses query strings with url.ParseQuery directly, is exposed. The attacker needs no credentials, and each request is cheap to send and to repeat; concurrent requests multiply the allocation, so a handful of clients can drive a process to out-of-memory termination and take the service down with it. In ATT&CK terms this is T1499.004, Endpoint Denial of Service: Application or System Exploitation.

The primary fix is to rebuild affected binaries with a Go release that contains the fix for CVE-2025-61726; the Go version a binary was built with is visible with go version -m <binary>. Until that is done, and as defence in depth afterwards, applications should cap the number of parameters before parsing (counting '&' separators in the raw query or body costs one linear scan and no allocation), install http.MaxBytesReader on request bodies with a limit well below the 10 MB ParseForm default, and have a reverse proxy or web application firewall reject requests with an implausible parameter count. Operators should monitor per-process memory and alert on growth that tracks request rate rather than data volume. The general lesson is that a size limit on untrusted input is not a count limit: an input that is small on the wire can still be expensive to materialise.
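A worked mitigation, added here as an example and not code from the Go project or from VulDB, serving both the allocation analysis above and the mitigation advice: it assumes a standard net/http handler chain, and the names CountPairs, ParseQueryLimited, LimitForm and Flood are chosen for this page. Flood builds the constructed attacker input described in the analysis (many unique keys, empty values); LimitForm rejects it after a linear scan, before ParseForm can materialise it, and caps the body with http.MaxBytesReader.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// ErrTooManyParams is returned when a query string or form body carries
// more key=value pairs than the caller is willing to materialise.
var ErrTooManyParams = errors.New("too many query parameters")

// CountPairs counts '&'-separated fields in a raw x-www-form-urlencoded
// string without allocating a map or slice per field. Empty fields
// ("a=1&&b=2") are counted too, which only makes the cap conservative.
func CountPairs(raw string) int {
	if raw == "" {
		return 0
	}
	return strings.Count(raw, "&") + 1
}

// ParseQueryLimited is a drop-in for url.ParseQuery that refuses to build
// the url.Values map when the pair count exceeds maxParams. Rejecting a
// flood costs one scan over the bytes instead of one map entry, one key
// string and one []string per attacker-chosen key.
func ParseQueryLimited(raw string, maxParams int) (url.Values, error) {
	if CountPairs(raw) > maxParams {
		return nil, ErrTooManyParams
	}
	return url.ParseQuery(raw)
}

// LimitForm wraps a handler so that, before the handler can call
// r.ParseForm, the query string and (for form bodies) the body are checked
// against maxParams and the body is capped at maxBody bytes. net/http
// already caps ParseForm bodies at 10 MB when no MaxBytesReader is set,
// but 10 MB of "k0=&k1=&..." is on the order of a million unique keys,
// so a byte cap alone does not close the hole.
func LimitForm(next http.Handler, maxBody int64, maxParams int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if CountPairs(r.URL.RawQuery) > maxParams {
			http.Error(w, ErrTooManyParams.Error(), http.StatusBadRequest)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		if isForm(r) {
			body, err := io.ReadAll(r.Body)
			if err != nil { // MaxBytesReader tripped: body exceeds maxBody
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			if len(body) > 0 && bytes.Count(body, []byte{'&'})+1 > maxParams {
				http.Error(w, ErrTooManyParams.Error(), http.StatusRequestEntityTooLarge)
				return
			}
			// Hand the already-read bytes back so ParseForm sees the same body.
			r.Body = io.NopCloser(bytes.NewReader(body))
		}
		next.ServeHTTP(w, r)
	})
}

// isForm reports whether ParseForm would read this request's body.
func isForm(r *http.Request) bool {
	if r.Method != http.MethodPost && r.Method != http.MethodPut && r.Method != http.MethodPatch {
		return false
	}
	return strings.HasPrefix(r.Header.Get("Content-Type"), "application/x-www-form-urlencoded")
}

// Flood builds the attacker input the advisory describes: n unique keys
// with empty values. Constructed sample input, not captured traffic.
func Flood(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=", i)
	}
	return b.String()
}

func main() {
	// Unbounded parse: one map entry and one []string per key (a fixed Go
	// release may instead return an error here).
	v, err := url.ParseQuery(Flood(200000))
	fmt.Println("url.ParseQuery materialised", len(v), "keys, err:", err)
	// Bounded parse: rejected after a linear scan, nothing allocated.
	_, err = ParseQueryLimited(Flood(200000), 1000)
	fmt.Println("ParseQueryLimited:", err)
}
```

The cap of 100 used in the checks below is deliberately small; pick a value from the largest form your application legitimately accepts, and keep the body limit passed to LimitForm far below the 10 MB ParseForm default so that the byte cap and the count cap reinforce each other.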

Reservation

09/30/2025

Disclosure

01/28/2026

Moderation

accepted

CPE

ready

EPSS

0.00045

KEV

no

Activities

very low

Sources
